The Cascading Effect of Vulnerability Discovery

The announcement of a Common Vulnerabilities and Exposures (CVE) identifier for a product often triggers a cascade of further vulnerability discoveries in the same product. This phenomenon, which we term the cascading effect, is a significant factor in the cybersecurity landscape, with implications for threat intelligence, vulnerability management, and overall cybersecurity strategy.

The Cascading Effect: An Overview

The cascading effect refers to the pattern where the announcement of a vulnerability in a popular product leads to increased scrutiny from security researchers and malicious actors alike. This heightened attention often results in the discovery of additional vulnerabilities in the same product, creating a cascade of vulnerability announcements.

This effect can be attributed to several factors. First, the announcement of a CVE draws attention to potential weaknesses in the product, prompting further investigation. Second, the detailed information provided in CVE reports can provide clues that help researchers discover additional vulnerabilities. Finally, the popularity of the product can also contribute to the cascading effect, as widely used products are more likely to be scrutinized.

Case Studies of the Cascading Effect

Several instances in recent years illustrate the cascading effect of vulnerability discovery following the announcement of a CVE.

Apache Struts Vulnerabilities

In 2017, a vulnerability in the Apache Struts framework (CVE-2017-5638) was exploited in the wild, leading to significant data breaches. Following the announcement of this CVE, security researchers and malicious actors turned their attention to Apache Struts, leading to the discovery of additional vulnerabilities. For instance, a few months later, another critical vulnerability (CVE-2017-9805) was discovered in the framework.

Microsoft Windows CryptoAPI Spoofing Vulnerability

In January 2020, Microsoft announced a critical vulnerability in the Windows CryptoAPI (CVE-2020-0601). This announcement led to increased scrutiny of the CryptoAPI, resulting in the discovery of two additional vulnerabilities (CVE-2020-0605 and CVE-2020-0606) in the following months.

Transient Execution CPU Vulnerabilities

The transient execution CPU vulnerabilities provide a compelling case study. This series of vulnerabilities in computer systems, where a speculative execution optimization implemented in a microprocessor is exploited to leak secret data, began with the discovery of the Spectre vulnerability in January 2018. Following this, a multitude of different vulnerabilities have been identified, demonstrating the cascading effect of vulnerability discovery.

In March 2021, AMD security researchers discovered that the Predictive Store Forwarding algorithm in Zen 3 CPUs could be exploited by malicious applications to access data they shouldn’t be accessing. This vulnerability was assigned CVE-2021-0086.

In June 2021, two new vulnerabilities, Speculative Code Store Bypass (SCSB, CVE-2021-0086) and Floating Point Value Injection (FPVI, CVE-2021-0089), were discovered, affecting all modern x86-64 CPUs from both Intel and AMD.

In August 2021, a vulnerability called “Transient Execution of Non-canonical Accesses” affecting certain AMD CPUs was disclosed. It was assigned CVE-2020-12965.

In October 2021, a vulnerability similar to Meltdown was disclosed that affects all AMD CPUs.

In March 2022, a new variant of the Spectre vulnerability called Branch History Injection was disclosed. It affects certain ARM64 CPUs and the following Intel CPU families: Cascade Lake, Ice Lake, Tiger Lake, and Alder Lake.

In March 2022, a vulnerability affecting a wide range of AMD CPUs was disclosed under CVE-2021-26341.

In June 2022, multiple MMIO vulnerabilities in Intel CPUs related to execution in virtualized environments were announced. The following CVEs were designated: CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166.

In July 2022, the Retbleed vulnerability was disclosed, affecting Intel Core 6th to 8th generation CPUs and AMD Zen 1, Zen 1+ and Zen 2 CPUs.

In August 2022, the SQUIP vulnerability was disclosed affecting Ryzen 2000–5000 series CPUs.

In February 2023, a vulnerability affecting a wide range of AMD CPU architectures called “Cross-Thread Return Address Predictions” was disclosed.

In July 2023, a critical vulnerability in the Zen 2 AMD microarchitecture called Zenbleed was made public.

The discovery and subsequent announcement of each of these vulnerabilities led to increased scrutiny of the affected products, resulting in the discovery of additional vulnerabilities. This pattern of vulnerability discovery following the announcement of a CVE is a clear demonstration of the cascading effect in action.

Threat Actors

APT actors are particularly relevant in the context of the cascading effect of vulnerability discovery. When a CVE is announced, APT actors are among the first to take note. They understand that the announcement not only reveals a vulnerability but also signals that the product or system in question may have other, yet undiscovered, vulnerabilities. As such, APT actors often pivot their efforts towards these products, seeking to exploit the newly announced vulnerability and find new ones.

An example of this can be seen in the targeting of file transfer and Managed File Transfer (MFT) solutions. These solutions are frequently targeted by attackers, including APT actors, because of the sensitive information they often handle. For instance, the CL0P Ransomware Group, also known as TA505, has exploited zero-day vulnerabilities across a series of file transfer solutions since December 2020, and the data stolen in these intrusions is used to extort victims into paying ransom demands. In 2023, CL0P claimed credit for the exploitation of vulnerabilities in both Fortra’s GoAnywhere Managed File Transfer (MFT) and Progress Software’s MOVEit Transfer solutions.

Mitigation

One approach to this problem could be to adapt existing risk assessment methodologies, such as the Common Vulnerability Scoring System (CVSS). The CVSS is a widely accepted standard for assessing the severity of computer system security vulnerabilities, and it provides a quantitative measure that reflects the characteristics of a vulnerability.

However, to account for the cascading effect and the specific threat posed by APT actors, we would need to extend this methodology to include additional factors. Here’s a proposed formula:

Risk Score = CVSS Score * Popularity Factor * Complexity Factor * Exposure Factor * Exploitability Factor

In this formula:

  • CVSS Score is the base score provided by the CVSS for a given vulnerability. This score reflects the severity of the vulnerability, considering factors like the impact on confidentiality, integrity, and availability, as well as the complexity of the attack, the need for user interaction, and the scope of the vulnerability.
  • Popularity Factor is a measure of how widely used the product is. This could be quantified based on market share data or the number of downloads, for example.
  • Complexity Factor is a measure of the complexity of the product. This could be quantified based on the number of features or the lines of code, for example.
  • Exposure Factor is a measure of how much sensitive data the product handles or has access to. This could be quantified based on the types of data the product handles (e.g., personal data, financial data) and the volume of this data.
  • Exploitability Factor is a measure of how easy it is to exploit a vulnerability in the product. This could be quantified based on factors like the product’s attack surface or the availability of exploit code.

Each of these factors would need to be normalized to a consistent scale (e.g., 0-10) to ensure they contribute appropriately to the overall risk score.
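The following is an added example, not code from the original article, showing how the proposed formula could be implemented with each product factor min-max normalized onto a 0-10 scale. The raw metrics, their ranges, the exploitability weighting and the final rescaling by 10^4 are all constructed assumptions, not values the article gives.

```python
# Added example, not part of the original article: the proposed
#   Risk Score = CVSS Score * Popularity * Complexity * Exposure * Exploitability
# with each non-CVSS factor min-max normalized onto the 0-10 scale the text
# suggests. Metric ranges and weights below are constructed placeholders.
from dataclasses import dataclass


def normalize(value, lo, hi, scale=10.0):
    """Min-max scale a raw metric onto [0, scale], clamping out-of-range input."""
    if hi <= lo:
        raise ValueError("hi must be greater than lo")
    clamped = min(max(value, lo), hi)
    return (clamped - lo) / (hi - lo) * scale


@dataclass
class ProductProfile:
    market_share_pct: float     # Popularity: share of the market, 0-100
    lines_of_code: int          # Complexity: size of the code base
    sensitive_data_types: int   # Exposure: categories of sensitive data handled
    public_exploit: bool        # Exploitability: exploit code publicly available
    internet_facing: bool       # Exploitability: reachable from the internet


def factors(p):
    """Return the four product factors, each on a 0-10 scale (assumed ranges)."""
    popularity = normalize(p.market_share_pct, 0, 100)
    complexity = normalize(p.lines_of_code, 0, 10_000_000)
    exposure = normalize(p.sensitive_data_types, 0, 5)
    # Constructed weighting: public exploit code counts 6, internet exposure 4.
    exploitability = (6.0 if p.public_exploit else 0.0) + (4.0 if p.internet_facing else 0.0)
    return popularity, complexity, exposure, exploitability


def risk_score(cvss, p):
    """Raw product exactly as the article writes it; ranges over 0 to 10**5."""
    pop, cpx, exp, xpl = factors(p)
    return cvss * pop * cpx * exp * xpl


def scaled_risk_score(cvss, p):
    """Divide by 10**4 (an assumption) so the result lands back on 0-10, comparable
    to CVSS itself. A zero in any factor zeroes the whole score: a multiplicative
    model needs a floor (e.g. a minimum of 1) if that is not the intended behaviour."""
    return risk_score(cvss, p) / 10**4


if __name__ == "__main__":
    # Constructed product: popular, mid-sized, several data types, public exploit.
    product = ProductProfile(50.0, 2_000_000, 4, True, True)
    print(risk_score(9.8, product), scaled_risk_score(9.8, product))
```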

Conclusion

The cascading effect of vulnerability discovery following the announcement of a CVE is a significant phenomenon in the cybersecurity landscape. Because the announcement of a CVE often triggers a cascade of further vulnerability discoveries in the same product, organizations must stay vigilant and continue to monitor their systems for vulnerabilities even after patching a known issue. As such, organizations should not only patch known vulnerabilities but also invest in proactive threat hunting and continuous monitoring to detect and address new vulnerabilities as they emerge.